Abstract 

In this paper we propose a method to construct logarithmic signatures 
which are not amalgamated transversal and further do not even have a 
periodic block. The latter property was crucial for the successful attack on 
the system MST3 by Blackburn et al. [1]. The idea for our construction 
is based on the theory in Szabó's book about group factorizations [12]. 



1 Introduction 

In the 80's Magliveras, Stinson and van Trung introduced two public key cryptosystems, MST1 and MST2, based on factorizations, covers and logarithmic signatures, of finite nonabelian groups [9]. Recently, Lempken, Magliveras, van Trung and Wei [6] developed a third cryptosystem, MST3. 

A main question is how to produce covers and logarithmic signatures for a group. Blackburn et al. [1] suggested a construction of so-called amalgamated transversal logarithmic signatures from exact transversal logarithmic signatures (for the definition see Section 4.1). Based on the use of these amalgamated transversal logarithmic signatures they presented a successful attack on the system MST3. 

In this paper we propose a method to construct logarithmic signatures which are not amalgamated transversal and further do not even have the property of being periodic, which was crucial for breaking the system MST3 (see cases 2 and 3 in subsection 4.3 in [1]). The idea for this construction is based on the theory in Szabó's book about group factorizations [12]. 

The paper is organized as follows: In Section 2 covers and logarithmic signatures will be introduced and some basic facts will be presented. We briefly introduce the cryptosystem MST3, for further information see also (S] or [1]. Then we introduce the platform groups proposed in [6], the Suzuki 2-groups. The question of how to construct logarithmic signatures will be the main issue of Section 4. In Section 5 we present the method for the construction of aperiodic logarithmic signatures. We will close with some final thoughts and remarks on further research in Section 6. 



2 Covers and logarithmic signatures 

The cryptosystem MST3 is based on the use of covers and logarithmic sig- 
natures. We will introduce them in this section and give a short overview of 
necessary results. Further information can be found in [2], [B], [7], [5] and [S]. 
Throughout this paper, G denotes a finite group and every set is assumed to be 
finite. 
Let $K \subseteq G$ and $\alpha = [A_1, \ldots, A_s]$ be a sequence of sequences $A_i = [a_{i,1}, \ldots, a_{i,r_i}]$ with $a_{i,j} \in G$, such that $\sum_{i=1}^{s} |A_i|$ is bounded by a polynomial in $\lceil \log |K| \rceil$. Then $\alpha$ is a cover for $K \subseteq G$, if every product $a_{1,j_1} \cdots a_{s,j_s}$ lies in $K$ and if every $g \in K$ can be written as 

$$g = a_{1,j_1} \cdots a_{s,j_s} \qquad (1)$$

with $j_i \in \{1, \ldots, |A_i|\}$. We denote the set of all covers for $K \subseteq G$ by $\mathcal{C}(K|G)$. If, moreover, the tuple $(j_1, \ldots, j_s)$ is unique for every $k \in K$ then $\alpha$ is called a logarithmic signature for $K$. The set of all logarithmic signatures for $K$ is denoted by $\Lambda(K|G)$. 

We call the product $a_{1,j_1} \cdots a_{s,j_s}$ in (1) a factorization of $g$ w.r.t. $\alpha$. Two factorizations $a_{1,j_1} \cdots a_{s,j_s}$ and $a_{1,h_1} \cdots a_{s,h_s}$ of $g$ are different if $(j_1, \ldots, j_s) \neq (h_1, \ldots, h_s)$. (Note that for $\alpha = [[a, a], [b, b]]$ the element $ab$ has four different factorizations $a \cdot b$.) 

If $\alpha = [A_1, \ldots, A_s] \in \mathcal{C}(K|G)$ with $r_i := |A_i|$ for all $i \in \{1, \ldots, s\}$, then the sequence $A_i$ is called a block of $\alpha$ and the sequence $(r_1, \ldots, r_s)$ the type of $\alpha$. 

The length of $\alpha$ is 

$$\sum_{i=1}^{s} r_i.$$

Covers of minimal length are noteworthy due to the fact that less memory 
capacity has to be used. The interested reader is referred to [7] for information 
on this issue. 

For the application in cryptography the following distinction is made. A logarithmic signature $\beta \in \Lambda(K|G)$ is tame if every $g \in K$ can be factorized in time polynomial in $\lceil \log |K| \rceil$ w.r.t. $\beta$, otherwise $\beta$ is called wild. 

The following map $\breve{\alpha}$ is used during the encryption and decryption procedure of the cryptosystem MST3. Later on we will identify factorizing w.r.t. a cover $\alpha$ with inverting $\breve{\alpha}$. 

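Let $\alpha = [A_1, \ldots, A_s] \in \mathcal{C}(K|G)$ be a cover for $K \subseteq G$ of type $(r_1, \ldots, r_s)$ with $A_i = [a_{i,1}, \ldots, a_{i,r_i}]$ and let 

$$m := \prod_{i=1}^{s} r_i, \quad m_1 := 1 \quad \text{and} \quad m_i := \prod_{l=1}^{i-1} r_l \quad \text{for all } i \in \{2, \ldots, s\}.$$

Let $\tau_\alpha$ be the canonical bijection from $\mathbb{Z}_{r_1} \times \cdots \times \mathbb{Z}_{r_s}$ to $\mathbb{Z}_m$, i.e. 

$$\tau_\alpha : \mathbb{Z}_{r_1} \times \cdots \times \mathbb{Z}_{r_s} \to \mathbb{Z}_m, \quad \tau_\alpha(j_1, \ldots, j_s) := \sum_{i=1}^{s} j_i m_i.$$

That is a generalization of $n$-ary representations. Let $\breve{\alpha} : \mathbb{Z}_m \to K$ be the surjection: 

$$\breve{\alpha}(x) := a_{1,j_1+1} \cdots a_{s,j_s+1}, \quad \text{where } (j_1, \ldots, j_s) = \tau_\alpha^{-1}(x).$$

Note that $\tau_\alpha^{-1}$ can be computed efficiently (using Euclid's algorithm) and therefore the same is true for $\breve{\alpha}$. Moreover, the map $\tau_\alpha$ does only depend on the type of $\alpha$, i.e. for $\alpha, \beta \in \mathcal{C}(K|G)$ we have 

$$\tau_\alpha = \tau_\beta \iff \alpha \text{ and } \beta \text{ are of the same type.}$$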
Let $g \in G$ and let $a_g$ be the number of pairwise different factorizations $a_{1,j_1} \cdots a_{s,j_s}$ of $g$ w.r.t. $\alpha$. Then $g$ has exactly $a_g$ different preimages w.r.t. $\breve{\alpha} \circ \tau_\alpha$, namely the tuples $(j_1, \ldots, j_s)$ with $g = a_{1,j_1} \cdots a_{s,j_s}$. That is the connection to equation (1). Therefore, a logarithmic signature $\beta \in \Lambda(K|G)$ is tame if we can compute $\breve{\beta}^{-1}$ in time polynomial in $\lceil \log |K| \rceil$. 
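
The canonical bijection, its inverse and the induced surjection in code, as an added example that is not part of the paper. It assumes an elementary abelian 2-group whose elements are encoded as bitmasks with XOR as the group operation, uses 0-based indices, and both sample covers are constructed.

```python
from functools import reduce
from math import prod
from operator import xor

def tau(js, types):
    """Canonical bijection Z_{r_1} x ... x Z_{r_s} -> Z_m: sum of j_i * m_i."""
    value, m_i = 0, 1                      # m_1 = 1, m_i = r_1 * ... * r_{i-1}
    for j, r in zip(js, types):
        if not 0 <= j < r:
            raise ValueError("index out of range for its block")
        value += j * m_i
        m_i *= r
    return value

def tau_inv(value, types):
    """Inverse of tau by repeated division with remainder."""
    if not 0 <= value < prod(types):
        raise ValueError("value must lie in Z_m")
    js = []
    for r in types:
        value, j = divmod(value, r)
        js.append(j)
    return tuple(js)

def breve(cover, value):
    """The surjection Z_m -> K: pick one element per block and multiply (XOR)."""
    js = tau_inv(value, [len(block) for block in cover])
    return reduce(xor, (block[j] for block, j in zip(cover, js)), 0)

def factorization_counts(cover):
    """For every reachable g, its number of preimages, i.e. of factorizations."""
    counts = {}
    for value in range(prod(len(block) for block in cover)):
        g = breve(cover, value)
        counts[g] = counts.get(g, 0) + 1
    return counts

def is_logarithmic_signature(cover, group_order):
    """Every group element is hit, and each exactly once."""
    counts = factorization_counts(cover)
    return len(counts) == group_order and all(c == 1 for c in counts.values())

# Constructed sample data in 2^3.
a, b = 0b001, 0b010
DEGENERATE = [[a, a], [b, b]]                                # the cover [[a, a], [b, b]]
SIGNATURE = [[0b000, 0b001], [0b000, 0b010, 0b100, 0b110]]   # type (2, 4)
```

For `DEGENERATE` the single element `a ^ b` collects all four index tuples, while for `SIGNATURE` every element of the group has exactly one.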

For $\mathcal{F} \in \{\mathcal{C}, \Lambda, \ldots\}$ we use the notation 

$$\mathcal{F}(G) := \mathcal{F}(G|G).$$

3 The cryptosystem MST3 

Alice chooses a public non-abelian group $G$ with large center $Z$ and generates 

• a tame logarithmic signature $\beta = [B_1, \ldots, B_s] \in \Lambda(Z)$ of type $(r_1, \ldots, r_s)$ 

• and a random cover $\alpha = [A_1, \ldots, A_s] \in \mathcal{C}(K|G)$ for a subset $K$ of $G$ with $a_{i,j_i} \in G \setminus Z$ for all $i \in \{1, \ldots, s\}$ and $j_i \in \{1, \ldots, r_i\}$, which is of the same type as $\beta$. 

Then she chooses random elements $t_0, \ldots, t_s \in G \setminus Z$ and computes the following covers: 

• $\tilde{\alpha} = [\tilde{A}_1, \ldots, \tilde{A}_s]$, where $\tilde{A}_i = t_{i-1}^{-1} A_i t_i$ for all $i \in \{1, \ldots, s\}$, 

• $\gamma := [H_1, \ldots, H_s]$ with $H_i := [b_{i,1}\tilde{a}_{i,1}, \ldots, b_{i,r_i}\tilde{a}_{i,r_i}]$ for all $i \in \{1, \ldots, s\}$. 

The public key is $(\alpha, \gamma)$ and the private key is $(\beta, t_0, \ldots, t_s)$. 

To encrypt an element $x \in \mathbb{Z}_{|Z|}$, Bob computes $y_1 = \breve{\alpha}(x)$ and $y_2 = \breve{\gamma}(x)$ and sends $y = (y_1, y_2)$ to Alice. 

Alice decrypts $y$ by calculating $\breve{\beta}^{-1}(y_2 t_s^{-1} y_1^{-1} t_0)$ which equals $x$. As $\beta$ is tame, the decryption algorithm is efficient. 

The cryptographic hypothesis is the problem of factorizing w.r.t. the random cover $\alpha$. Furthermore it has to be hard for the attacker to reconstruct the private key by using the public key. For information on these two issues we refer the reader to [1], [5] and [10]. 

Remark 3.1 Lempken, Magliveras, van Trung and Wei [6] demand two additional properties. 

Firstly the group $G$ should not be a direct product of $Z$ and a subgroup $U \leq G$, otherwise the system could be weakened using Schreier-trees [B]. 

The second assumption is $a_{i,j} a_{i,l}^{-1} \notin Z$ for all $i \in \{1, \ldots, s\}$ and $j \neq l$. However, Blackburn et al. [1] didn't use that property for their attacks, because it holds for a large number of public keys and it is not required during the encryption and decryption process. 

Lempken et al. [6] suggested the use of Suzuki 2-groups (see also [4] and [5]) as platform groups for the system: 

Let $\theta \neq \mathrm{id}$ be an odd order field automorphism of $\mathbb{F}_q$ ($q = 2^n$). We then define the Suzuki 2-group as 

$$G := \{S(c,d) : c, d \in \mathbb{F}_q\},$$

where 

$$S(c,d) := \begin{pmatrix} 1 & 0 & 0 \\ c & 1 & 0 \\ d & c^\theta & 1 \end{pmatrix}.$$

Lemma 3.2 The center $Z(G) = \{S(0,d) : d \in \mathbb{F}_q\}$ is an elementary abelian 2-group. 

We will now concentrate on the construction of $\beta$ and we will restrict ourselves, motivated by Lemma 3.2, to elementary abelian 2-groups, although all results in Section 5 hold for every abelian group. 
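
A toy run of the key generation, encryption and decryption described in this section, added here as an example and not taken from the paper or from [6]. The platform group is the Suzuki 2-group over $\mathbb{F}_8$ with $\theta$ the Frobenius map, elements $S(c,d)$ are stored as pairs `(c, d)`, and the field polynomial, the type (4, 2) signature `beta` and the random generator are constructed choices.

```python
import random

def gf8_mul(a, b):
    """Multiplication in F_8 = F_2[t]/(t^3 + t + 1), elements as 3-bit integers."""
    r = 0
    for _ in range(3):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0b1000:
            a ^= 0b1011
    return r

def theta(c):
    """Frobenius c -> c^2, a field automorphism of F_8 of odd order 3."""
    return gf8_mul(c, c)

def mul(g, h):
    """S(a,b) * S(c,d) = S(a + c, b + d + theta(a) * c), read off the 3x3 matrices."""
    (a, b), (c, d) = g, h
    return (a ^ c, b ^ d ^ gf8_mul(theta(a), c))

def inv(g):
    a, b = g
    return (a, b ^ gf8_mul(theta(a), a))

def select(cover, value):
    """The surjection of a cover of type (4, 2): value = j_1 + 4 * j_2."""
    return mul(cover[0][value % 4], cover[1][value // 4])

def keygen(rng):
    # beta: constructed logarithmic signature for the center Z = {S(0, d)},
    # a permuted transversal of the subgroup {0, 4} followed by that subgroup.
    beta = [[(0, 7), (0, 1), (0, 4), (0, 2)], [(0, 4), (0, 0)]]
    outside = [(c, d) for c in range(1, 8) for d in range(8)]       # G \ Z
    alpha = [[rng.choice(outside) for _ in block] for block in beta]
    t = [rng.choice(outside) for _ in range(3)]                     # t_0, t_1, t_2
    gamma = [[mul(b, mul(mul(inv(t[i]), a), t[i + 1]))              # b * t_{i-1}^-1 * a * t_i
              for a, b in zip(alpha[i], beta[i])] for i in range(2)]
    return (alpha, gamma), (beta, t)

def encrypt(public, value):
    alpha, gamma = public
    return select(alpha, value), select(gamma, value)

def decrypt(private, y):
    beta, t = private
    y1, y2 = y
    c = mul(mul(mul(y2, inv(t[-1])), inv(y1)), t[0])     # central element, image of x under beta
    table = {select(beta, value): value for value in range(8)}   # beta is tiny: invert by table
    return table[c]
```

The two additional conditions of Remark 3.1 are not enforced here, and the table lookup stands in for the tame factorization w.r.t. `beta`.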

4 Classes of logarithmic signatures 

4.1 Exact transversal logarithmic signatures 

A logarithmic signature $\beta = [B_1, \ldots, B_s]$ for a group $G$ is called l-exact transversal (r-exact transversal) if there is a subgroup chain 

$$G = G_0 > G_1 > \cdots > G_s = \{1\},$$

such that $B_i$ is a left (right) transversal of $G_i$ in $G_{i-1}$ for all $i \in \{1, \ldots, s\}$. A logarithmic signature is said to be exact transversal if it is l-exact transversal or r-exact transversal. We denote the set of all exact transversal logarithmic signatures for a group $G$ by $\mathcal{ET}(G)$. 

Remark 4.1 The block $B_s$ of an exact transversal logarithmic signature $\beta$ is a subgroup of $G$, more precisely $B_s = G_{s-1}$. Moreover, $[B_i, \ldots, B_s]$ is an exact transversal logarithmic signature for $G_{i-1}$. 

4.2 Amalgamated transversal logarithmic signatures 

Let $\beta = [B_1, \ldots, B_s]$ be an exact transversal logarithmic signature of type $(r_1, \ldots, r_s)$ for an abelian group $G$. Blackburn et al. [1] define the following operations on $\beta$: 

• permute elements within each $B_i$, 

• permute the $B_i$, 

• replace $B_i$ by a translate $B_i g$ for some $g \in G$, 

• amalgamate two sets $B_i$ and $B_j$ by the single set $B_i \cdot B_j := \{gh \mid g \in B_i, h \in B_j\}$. 

The logarithmic signatures that are constructed from an exact transversal logarithmic signature by applying a finite number of the four previous maps are called amalgamated transversal logarithmic signatures, see [1]. We will denote the set of amalgamated transversal logarithmic signatures for a group $G$ by $\mathcal{AT}(G)$. 

The amalgamated transversal logarithmic signatures have the special property of being periodic, which Blackburn et al. [1] used to break MST3 under the assumption that the platform group $G$ is a Suzuki 2-group. A subset $B$ of an abelian group $G$ is called periodic if there exists a $g \in G \setminus \{1\}$ (the period) with $gB = B$. Let $P(B) := \{g \in G \setminus \{1\} : gB = B\}$ be the set of periods of $B$. 
Proposition 4.2 (Blackburn et al. [1], Lemma 2.1) Let $G$ be an abelian group and $\beta \in \mathcal{AT}(G)$. Then at least one of the blocks $B_i$ of $\beta$ is periodic. 

Blackburn et al showed that every amalgamated transversal logarithmic sig- 

Theorem 4.3 (Blackburn et al. [1], Lemma 2.2) Let $G$ be an elementary abelian 2-group. Every logarithmic signature $\beta \in \mathcal{AT}(G)$ is tame. 

5 Constructing aperiodic tame logarithmic signatures 

Since the usage of amalgamated transversal logarithmic signatures leaves the cryptosystem insecure, we need to find new ways of constructing tame logarithmic signatures, preferably some without periodic blocks. In this section we introduce an algorithm to construct tame logarithmic signatures without periodic blocks. 

As in a logarithmic signature $\beta$ every group element is at most once in a block and as the position of the element inside a block is irrelevant for the tameness of $\beta$, see Theorem 4.4, we will consider sets instead of sequences. 

We call a logarithmic signature $\beta \in \Lambda(G)$ aperiodic if none of the blocks $B_i$ is periodic. The set of all aperiodic logarithmic signatures for a group $G$ is denoted by $\mathcal{A}(G)$. 

Theorem 5.1 (Szabó [12], Theorem 7.3.1) Let $G$ be an elementary abelian 2-group. There exists an aperiodic logarithmic signature $\beta$ of type $(r_1, \ldots, r_s)$ with $r_1 \geq \cdots \geq r_s \geq 2$ if 

• $s = 2$ and $r_2 \geq 8$ or 

• $s \geq 3$ and $r_1 \geq 8$, $r_s \geq 4$ holds. 

There does not exist an aperiodic logarithmic signature of type $(r_1, \ldots, r_s)$ with $r_1 \geq \cdots \geq r_s \geq 2$ if one of the following cases holds: 

• $r_s = 2$, 

• $s = 1$, 

• $s = 2$ and $r_2 \mid 4$, 

• $s \geq 3$ and $r_1 \mid 4, \ldots, r_s \mid 4$. 

We are going to use the idea of the proof of this theorem to construct tame 
aperiodic logarithmic signatures for elementary abelian 2-groups, for example 
for the center of a Suzuki 2-Group. 

5.1 The algorithm 

Now we present the algorithm which constructs a new logarithmic signature out of a subgroup and a left transversal of that subgroup. The realization of some rather vague steps in the algorithm, namely the construction of $\delta$ and all $\alpha^{(j_1, \ldots, j_s)}$, will be discussed in the last part of the paper. 
Algorithm 5.2 We start with an abelian group $G$, choose a subgroup $U$ of $G$ and a transversal $R$ of $U$ in $G$. Then we generate 

$$\delta = (D_1, \ldots, D_s) \in \Lambda(R)$$

with $D_i = \{d_{i,1}, \ldots, d_{i,r_i}\}$ of type $(r_1, \ldots, r_s)$ and logarithmic signatures 

$$\alpha^{(j_1, \ldots, j_s)} := (A_1^{(j_1)}, \ldots, A_s^{(j_s)}) \in \Lambda(U)$$

for all $(j_1, \ldots, j_s) \in \{1, \ldots, r_1\} \times \cdots \times \{1, \ldots, r_s\}$. We get $\beta = (B_1, \ldots, B_s)$ by 

$$B_1 := d_{1,1}A_1^{(1)} \cup \cdots \cup d_{1,r_1}A_1^{(r_1)}, \quad \ldots, \quad B_s := d_{s,1}A_s^{(1)} \cup \cdots \cup d_{s,r_s}A_s^{(r_s)}.$$

Notice that we needed all the logarithmic signatures $\alpha^{(j_1, \ldots, j_s)}$ to be able to produce an aperiodic logarithmic signature. 

Example 5.3 We choose $G = \langle u, v, w, x, y, z \rangle \cong 2^6$, $U = \langle u, v, w, x \rangle$, $R = \{1, y, z, yz\}$ and set 

$$D_1 := \{1, z\}, \quad D_2 := \{1, y\}$$

and 

$$A_1^{(1)} := \{1, u, v, uv\}, \quad A_1^{(2)} := \{1, w, x, wx\},$$

$$A_2^{(1)} := \{1, uw, vx, uvwx\}, \quad A_2^{(2)} := \{1, ux, uvw, vwx\}.$$

We get 

$$B_1 := \{1, u, v, uv, z, wz, xz, wxz\}, \quad B_2 := \{1, uw, vx, uvwx, y, uxy, uvwy, vwxy\}.$$

Neither of these two blocks is periodic. It follows that $\beta \in \mathcal{A}(G)$ of type $(8, 8)$. 

Theorem 5.4 The sequence $\beta$ constructed by Algorithm 5.2 is a logarithmic signature for $G$ of type $(l_1, \ldots, l_s)$, where $l_i = \sum_{j=1}^{r_i} |A_i^{(j)}|$. 

We call a logarithmic signature which can be obtained from $U$ and $R$ by the construction above decomposed and reunited out of $U$ and $R$, shortly d.r., and we denote the set of logarithmic signatures for a group $G$ which are d.r. by $\mathcal{DR}_G(U, R, \mathcal{E}(U|G), \mathcal{F}(R|G))$ where $\mathcal{E}, \mathcal{F} \in \{\Lambda, \mathcal{ET}, \mathcal{AT}, \ldots\}$. 

Remark 5.5 Every logarithmic signature $\beta = (B_1, \ldots, B_s) \in \Lambda(G)$ is d.r. out of $U = G$ and $R = \{1\}$: Set $\delta = (1, \ldots, 1)$ and $A_i^{(1)} = B_i$ for all $i = 1, \ldots, s$. 

An immediate question is how the choice of $U$ and $R$ influences the set $\mathcal{DR}_G(U, R, \mathcal{E}(U|G), \mathcal{F}(R|G))$. Another question is which logarithmic signatures are constructible out of the pair $(U, R)$ when we choose $\delta$ and $\alpha^{(j_1, \ldots, j_s)}$ to be for example exact transversal only. 

It is possible to construct an aperiodic logarithmic signature by using only total exact transversals, i.e. exact transversals where every block is a subgroup, see Example 5.3 above. 

Proposition 5.6 A logarithmic signature which is d.r. is tame if $\delta$ and all $\alpha^{(j_1, \ldots, j_s)}$ are tame and if for every $g \in G$ the coset representative in $R$ which lies in the same coset as $g$ can be found efficiently. 
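
Proposition 5.6 carried out on the data of Example 5.3, as an added example that is not part of the paper. It assumes the generators are encoded as bits with XOR as the group operation, and it factors the small pieces $\delta$ and $\alpha^{(j_1, j_2)}$ by exhaustive search where a larger instance would use their own tame factorization.

```python
from itertools import product

# Constructed encoding of G = 2^6: one bit per generator, the product is XOR.
u, v, w, x, y, z = (1 << k for k in range(6))
U_MASK = u | v | w | x      # U = <u, v, w, x>
R_MASK = y | z              # R = {1, y, z, yz} is a subgroup here, so g & R_MASK is the
                            # representative of the coset gU

# Example 5.3: delta = (D_1, D_2) and the blocks A_i^(j) belonging to d_{i,j}.
D = [[0, z], [0, y]]
A = [[[0, u, v, u ^ v], [0, w, x, w ^ x]],
     [[0, u ^ w, v ^ x, u ^ v ^ w ^ x], [0, u ^ x, u ^ v ^ w, v ^ w ^ x]]]

def reunite(D, A):
    """Algorithm 5.2: B_i is the union of the translates d_{i,j} * A_i^(j)."""
    return [[d ^ a for d, block in zip(D_i, A_i) for a in block]
            for D_i, A_i in zip(D, A)]

def factor_in_blocks(blocks, target):
    """Unique index tuple whose selected elements multiply to target."""
    hits = []
    for js in product(*(range(len(b)) for b in blocks)):
        g = 0
        for b, j in zip(blocks, js):
            g ^= b[j]
        if g == target:
            hits.append(js)
    if len(hits) != 1:
        raise ValueError("blocks are not a logarithmic signature for this element")
    return hits[0]

def factorize_dr(g, D, A):
    """Positions (p_1, ..., p_s) in the blocks of beta with g = B_1[p_1] * ... * B_s[p_s]."""
    r = g & R_MASK                                # coset representative in R
    js = factor_in_blocks(D, r)                   # r = d_{1,j_1} * ... * d_{s,j_s}
    alpha = [A_i[j] for A_i, j in zip(A, js)]     # the signature for U selected by (j_1, ..., j_s)
    ks = factor_in_blocks(alpha, g & U_MASK)      # g * r^-1 lies in U
    # d_{i,j} * a sits in B_i after the translates with smaller index j.
    return tuple(sum(len(A_i[t]) for t in range(j)) + k
                 for A_i, j, k in zip(A, js, ks))

def multiply(blocks, positions):
    g = 0
    for b, p in zip(blocks, positions):
        g ^= b[p]
    return g

BETA = reunite(D, A)
```

The search touches the 4 products of $\delta$ and the 16 products of one $\alpha^{(j_1, j_2)}$ instead of all 64 products of $\beta$.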
5.2 Aperiodicity of $\beta$ 

From now on we assume that $\beta = (B_1, \ldots, B_s)$ is constructed by Algorithm 5.2 and we use the notation introduced there. Next we summarize some basic facts. After that we show how to choose the sets to force the non-periodicity of $B_i$. 

Lemma 5.7 We have $d_{i,j}^{-1} d_{i,k} \notin U$ for all $i = 1, \ldots, s$ and $j, k = 1, \ldots, r_i$ with $j \neq k$. 

Proof. We assume that there are $i$ and $j \neq k$ with $d_{i,j}^{-1} d_{i,k} \in U$. We consider the two factorizations 

$$d_{1,1} \cdots d_{i-1,1}\, d_{i,j}\, d_{i+1,1} \cdots d_{s,1} \quad \text{and} \quad d_{1,1} \cdots d_{i-1,1}\, d_{i,k}\, d_{i+1,1} \cdots d_{s,1}.$$

These elements of $R$ are in different cosets of $U$ in $G$. On the other hand we have 

$$(d_{1,1} \cdots d_{i-1,1}\, d_{i,j}\, d_{i+1,1} \cdots d_{s,1})^{-1}\, d_{1,1} \cdots d_{i-1,1}\, d_{i,k}\, d_{i+1,1} \cdots d_{s,1} = d_{i,j}^{-1} d_{i,k} \in U,$$

which is not possible. □ 

Lemma 5.8 Let $A, B \leq G$. Then $A = B$ if and only if there exists an element $g \in G$ with $gA = B$. 

Lemma 5.9 If $B_i$ is periodic with period $g \in G$, then for every $d_{i,j} A_i^{(j)}$ there is a $k \in \{1, \ldots, r_i\}$, such that 

$$g\, d_{i,j} A_i^{(j)} = d_{i,k} A_i^{(k)}.$$

If additionally $A_i^{(j)}, A_i^{(k)} \leq G$ holds, then $A_i^{(j)} = A_i^{(k)}$. 

Proof. Assume there is no such $k$. Then we have $a_1, a_2 \in A_i^{(j)}$ with $a_1 \neq a_2$ and $b \in A_i^{(e)}$, $c \in A_i^{(f)}$ for $e \neq f$, such that $g\, d_{i,j} a_1 = d_{i,e} b$ and $g\, d_{i,j} a_2 = d_{i,f} c$. From that it follows $d_{i,f}^{-1} d_{i,e} = c\, a_2^{-1} a_1 b^{-1} \in U$, which is a contradiction to Lemma 5.7. This shows the first statement. The second part follows from Lemma 5.8. □ 
To describe the periodic signatures $\beta$ we introduce for $i \in \{1, \ldots, s\}$ the set 

$$D_i^{(j)} := \{d_{i,k} : A_i^{(k)} = A_i^{(j)}\}$$

of elements $d_{i,k}$ that have the same corresponding subset $A_i^{(j)}$. Then we immediately obtain the following: 

Lemma 5.10 $B_i$ is periodic if one of the following holds: 

(1) $\bigcap_{j=1}^{r_i} P(A_i^{(j)}) \neq \emptyset$. 

(2) $\bigcap_{j=1}^{r_i} P(D_i^{(j)}) \neq \emptyset$. 

The special case $r_i = 2$ or $3$ and pairwise different subgroups $A_i^{(j)}$ of the following theorem was proven in cooperation with Anja Nuss 
Theorem 5.11 Let $A_i^{(j)} \leq G$ for all $j \in \{1, \ldots, r_i\}$. Then $B_i$ is periodic if and only if 

$$\bigcap_{j=1}^{r_i} P(X^{(j)}) \neq \emptyset$$

holds for at least one $r_i$-tuple $(X^{(1)}, \ldots, X^{(r_i)}) \in \{A_i^{(1)}, D_i^{(1)}\} \times \cdots \times \{A_i^{(r_i)}, D_i^{(r_i)}\}$. 

Proof. One part of the equivalence follows from Lemmas 5.9 and 5.10. 

Now assume that $B_i$ is periodic. Let $g \in G$ be a period of $B_i$. By Lemma 5.9 we have for every $j$ and $D_i^{(j)} = \{d_{i,j_1}, \ldots, d_{i,j_k}\}$ that 

$$g\,(d_{i,j_1} A_i^{(j)} \cup \cdots \cup d_{i,j_k} A_i^{(j)}) = d_{i,j_1} A_i^{(j)} \cup \cdots \cup d_{i,j_k} A_i^{(j)}.$$

Moreover, every $d_{i,j_l} A_i^{(j)}$ is mapped to a $d_{i,j_r} A_i^{(j)}$ by multiplication with $g$. Therefore $g$ must be either an element of $A_i^{(j)}$, i.e. $g \in P(A_i^{(j)})$, or $g$ permutes the elements of $D_i^{(j)}$, i.e. $g \in P(D_i^{(j)})$. 

□ 



An immediate consequence is the following equivalence. 



Corollary 5.12 Let $A_i^{(j)} \leq G$ for all $j \in \{1, \ldots, r_i\}$ and $A_i^{(j)} \neq A_i^{(k)}$ for all $j, k \in \{1, \ldots, r_i\}$ with $j \neq k$. Then $B_i$ is periodic if and only if 

$$\bigcap_{j=1}^{r_i} P(A_i^{(j)}) \neq \emptyset.$$

□ 

If at least one $A_i^{(j)}$ is not a subgroup of $G$, then the statement of Theorem 5.11 does not hold anymore. The following example shows that we can already get a periodic block when $r_i = 2$. 

Example 5.13 We choose $G := \langle u, v, w, x, y, z \rangle \cong 2^6$, $U = \langle u, v, w, x \rangle$ and set 

$$A_1^{(1)} := \{1, u, v, uvw\}, \quad A_1^{(2)} := \{u, 1, uv, vw\} = u A_1^{(1)}$$

and 

$$D_1 := \{1, y\}.$$

Then we get 

$$B_1 = d_{1,1} A_1^{(1)} \cup d_{1,2} A_1^{(2)} = \{1, v, u, uvw, uy, y, uvy, vwy\},$$

which has the period $uy$. But the other conditions of Theorem 5.11 are fulfilled because of 

$$P(D_1^{(1)}) = P(D_1^{(2)}) = P(A_1^{(1)}) = P(A_1^{(2)}) = \emptyset.$$

If we set 

$$A_2^{(1)} := A_2^{(2)} := \{1, w, x, wx\} \quad \text{and} \quad D_2 := \{1, z\},$$

then we get a logarithmic signature for $G$. 
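
A brute-force check of Examples 5.3 and 5.13 against the criterion of Theorem 5.11, as an added example that is not part of the paper. It assumes the same bit encoding of $2^6$ with XOR as the group operation, and reads the criterion as: for some choice of one set out of $A_i^{(j)}$ and $D_i^{(j)}$ per index $j$, the chosen sets share a period.

```python
from functools import reduce
from itertools import product
from operator import xor

N = 6
u, v, w, x, y, z = (1 << k for k in range(N))   # constructed encoding; the product is XOR

def periods(block):
    """P(B): every g != 1 with gB = B."""
    s = set(block)
    return {g for g in range(1, 1 << N) if {g ^ b for b in s} == s}

def reunite_block(D_i, A_i):
    """B_i as the union of the translates d_{i,j} * A_i^(j) (Algorithm 5.2)."""
    return [d ^ a for d, block in zip(D_i, A_i) for a in block]

def criterion_5_11(D_i, A_i):
    """True iff one choice X^(j) in {A_i^(j), D_i^(j)} per j has a common period."""
    choices = []
    for block in A_i:
        same = [d for d, other in zip(D_i, A_i) if set(other) == set(block)]   # D_i^(j)
        choices.append((periods(block), periods(same)))
    return any(set.intersection(*pick) for pick in product(*choices))

def is_logarithmic_signature(blocks):
    prods = [reduce(xor, pick, 0) for pick in product(*blocks)]
    return len(prods) == (1 << N) == len(set(prods))

# Example 5.3: every A_i^(j) is a subgroup, the hypothesis of Theorem 5.11 holds.
EX_5_3 = [([0, z], [[0, u, v, u ^ v], [0, w, x, w ^ x]]),
          ([0, y], [[0, u ^ w, v ^ x, u ^ v ^ w ^ x], [0, u ^ x, u ^ v ^ w, v ^ w ^ x]])]

# Example 5.13: A_1^(1) is not a subgroup and A_1^(2) is its translate by u.
A_1 = [0, u, v, u ^ v ^ w]
EX_5_13 = [([0, y], [A_1, [u ^ a for a in A_1]]),
           ([0, z], [[0, w, x, w ^ x], [0, w, x, w ^ x]])]

def report(example):
    """Per block: (periods found by exhaustive search, verdict of the criterion)."""
    return [(periods(reunite_block(D_i, A_i)), criterion_5_11(D_i, A_i))
            for D_i, A_i in example]
```

For Example 5.3 both views agree that no block is periodic; for the first block of Example 5.13 the search finds the period `u ^ y` although the criterion reports none, which is the failure the example describes.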
Next we generalize Theorem 5.11. For $G$ a group and $A, B \subseteq G$ we say that $A$ is a multiple of $B$ if there is a $g \in G$ with $gA = B$. Notice if $B$ is a subgroup of $G$ and $A$ a multiple of $B$, then $A$ is a left coset of $B$ in $G$. We say that a multiple $A$ of $B$ is proper, if $A \neq B$. 

Lemma 5.14 If $B_i$ is periodic with period $g \in G$, if $A_i^{(j)}$ is not a proper multiple of $A_i^{(k)}$ and if $g\, d_{i,j} A_i^{(j)} = d_{i,k} A_i^{(k)}$, then $A_i^{(j)} = A_i^{(k)}$. 

Proof. That follows immediately from the previous definition, because of $d_{i,k}^{-1}\, g\, d_{i,j} A_i^{(j)} = A_i^{(k)}$. □ 

Theorem 5.15 Suppose that $A_i^{(j)}$ is not a proper multiple of $A_i^{(k)}$ for all $j, k \in \{1, \ldots, r_i\}$. Then $B_i$ is periodic if and only if 

$$\bigcap_{j=1}^{r_i} P(X^{(j)}) \neq \emptyset$$

for at least one $r_i$-tuple $(X^{(1)}, \ldots, X^{(r_i)}) \in \{A_i^{(1)}, D_i^{(1)}\} \times \cdots \times \{A_i^{(r_i)}, D_i^{(r_i)}\}$. 

Proof. The proof is analogous to the one of Theorem 5.11 but we have to use Lemma 5.14 instead of Lemma 5.9. □ 

Corollary 5.16 Suppose that $A_i^{(j)}$ is not a multiple of $A_i^{(k)}$ for all $j, k \in \{1, \ldots, r_i\}$. Then $B_i$ is periodic if and only if 

5.3 Concrete construction for G elementary abelian of order $2^n$. 

We will construct aperiodic logarithmic signatures for elementary abelian 2-groups $G$. Such a logarithmic signature has already been constructed in Example 5.3 for $G = 2^6$. Now we generate one for $G = 2^7$ and then use these two logarithmic signatures to construct tame aperiodic logarithmic signatures for all groups $2^n$ with $n \geq 6$. 

Example 5.17 (see also Szabó [12], Theorem 7.3.1) We choose $G = \langle t, u, v, w, x, y, z \rangle \cong 2^7$, $U = \langle u, v, w, x, y, z \rangle$, $R = \{1, t\}$ and set 

$$A_1^{(1)} := \{1, v, wx, vwx\}, \quad A_1^{(2)} := \{1, w, vz, vwz\},$$

$$A_2^{(1)} := \{1, x, y, xyz\},$$

$$A_3^{(1)} := \{1, z, u, zuw\}$$

and 

$$D_1 := \{1, t\}, \quad D_2 := \{1\}, \quad D_3 := \{1\}.$$

The resulting logarithmic signature $\beta$ is aperiodic of type $(8, 4, 4)$. 
General construction. Let $G = 2^n$ be an elementary abelian group of order n and let $\mathcal{B} = \{g_1, \ldots, g_n\}$ be a generating set for $G$. We now decompose $G$ in the following way: 

$$G = U_1 \times \cdots \times U_s \times D_1 \times \cdots \times D_s$$

where $U_1 \times D_1$ is a small group with a known aperiodic logarithmic signature $\beta'$ (see Examples 5.13 and 5.17) and $2 < |D_i| < \prod_{j=1}^{i-1} |U_j|$ for $i \in \{2, \ldots, s\}$. 

Then we choose for every $i \in \{2, \ldots, s\}$ a subset $\{k_1^{(i)}, \ldots, k_{r_i}^{(i)}\} \subseteq (U_1 \times \cdots \times U_{i-1})^{\#}$ of size $r_i := |D_i|$. We construct the logarithmic signature $\beta = [\beta', B_2, \ldots, B_s]$ using Algorithm 5.2 by setting 

$$\delta := [D_2, \ldots, D_s],$$

$$A_i^{(j)} := \{1\} \cup \{k_j^{(i)} u : u \in U_i^{\#}\}, \quad \text{for } i = 2, \ldots, s \text{ and } j = 1, \ldots, r_i.$$

Then no $A_i^{(j)}$ is the multiple of an $A_i^{(l)}$ for some $l \neq j$. Therefore, Corollary 5.16 implies that the resulting logarithmic signature $\beta$ for $G$ is aperiodic. 

For security and storage issues it seems to be reasonable to choose small subgroups $U_i$ and $D_i$. Further, one should apply some of the operations from subsection 4.2 to $\beta$ to hide the subgroup $U_1 \times D_1$, more precisely, the blocks of the logarithmic signature $\beta'$, otherwise an attacker could obtain a periodic (and therefore tame) logarithmic signature for $G/(U_1 \times D_1)$. 

If we want to store this logarithmic signature we only need to store a minimal generating set $\mathcal{B} = \bigcup_{i=1}^{2s} \mathcal{B}_i$ of $G$ such that the subsets $\mathcal{B}_i$ generate $U_i$ and $D_i$, respectively, and the information which elements of $\mathcal{B}$ generate which subgroups $U_i$ and $D_i$. The latter can be provided for example by a tuple $v \in \mathbb{Z}^{2s}$, and a strict total order on the $\mathbb{F}_2$-vector space, e.g. the lexicographical order, because the position of the elements is needed for the factorization. 

Factorization. We define $V_i := \sum_{k=1}^{i-1} v_k$ and use the following algorithm: 

Let $y = \kappa_{\mathcal{B}}(g)$ be the coordinate vector of $g$ w.r.t. $\mathcal{B}$ 
Let $j \in \mathbb{Z}^{s-1}$ be the tuple consisting only of ones 
for $i = s + 1$ to $2s - 1$ do 
    for $l = 1 + V_i$ to $V_{i+1}$ do 
        if $y_l$ = then 
            Ji — s — Ji—s T * 
Let $h \in \mathbb{Z}^{s-1}$ be the tuple consisting only of ones 
for $i = 1$ to $s - 1$ do 
    hi =hi + (ji - 1)2^ 
    for $l = 1 + V_i$ to $V_{i+1}$ do 
        if $y_l$ = then 
            hi = hi + 2"-- ( '- y * ) 

Now we need to factorize the projection $y'$ of $y$ onto $U_1 \times R_1$ which yields $x = \tau_{\beta'}^{-1}(y')$ where $y' = \kappa_{\mathcal{B}'}(g')$ and $\mathcal{B}' \subseteq \mathcal{B}$ a generating set of $U_1 \times R_1$. 
Altogether we get $\tau_\beta^{-1}(g) = (x, h_1, \ldots, h_{s-1})$ and from that we receive 

Note that we have to treat $\beta'$ differently, but since $U_1 \times D_1$ is small, we get the requested element in the factorization efficiently (meaning in $O(\log_2 |G|)$) by an exhaustive search. 

Complexity. Under the assumption that comparison and arithmetic in $\mathbb{Z}$ can be done in $O(1)$, we can compute the complexity of the factorization algorithm in the following way (worst case): 

2s-l Vi+i s-1 / V»+i 

J2 ( w * - 1 + Vi + 4 ) + J2\ vì +ì + 3 + J2 ( v ì~ 1 + v ì+ 4) 

i=s+ll=l+V, i=l \ l=l+Vi 

2s-l V i+1 V s+1 s-1 

= 12 E (vi-i + Vi+q- Yl (v.-* + v;+4)+ j> i+ i + 3) 

i=l i=l+V 4 i=l+V s »=i 

2s-l / V, + i \ / V s + 1 \ 

= S «ì+i(«ì + ^+ 4 )- E M- + v; + 4)- 51 M + x 

»=i \ /=i+v, / \ ;=i+y 3 / 

= E + ^ + 4 ) - ^«ì+iVì + E z ) ) - Y + x 
= J2 - ) + E - r + x 

7 ( 

< M ■ n + -n — Y + X where M = max v. 

2 y i 

s-1 ( V s + 1 \ 

withX:= E(«i+i+3),y := t>.+i(v a + V, +4) - E I and 

i=l \ i = l + V s / 

-F + X = - ^s+l«s + 4W S +1 - Q(«s+l)(«s + l + *))) + E(^+l + 3 ) 

= 3s + Y v ì+i - ( v s + ^ - ^ Ws+1 ) Vs+1 ~ 3 

z— 1 ^ ... / 

< 4n - (v s + ^ - «s+i 

Since every $v_i$ is supposed to be small, especially $v_{s+1}$, $M$ will also be small and v s + | — \v s+ i will be nonnegative, independent of $n$. So in that case the runtime of the factorization algorithm is $O(n) = O(\log_2 |G|)$ and, therefore, $\beta$ is tame. 

6 Conclusion 

We presented a new way to construct tame logarithmic signatures. The advantage of this method is the possibility to produce aperiodic logarithmic signatures which resist the attack proposed in [1]. Although one needs to store $\delta$ and all $\alpha^{(j_1, \ldots, j_s)}$ to factorize with respect to $\beta$, this is also an aspect of security, because an attacker doesn't know those elements used during the construction but needs to find them to be able to factorize w.r.t. $\beta$, as far as we know. 

Further, we showed how to get a huge number of aperiodic tame logarithmic signatures by using the proposed algorithm. Although those might not be enough, the fact that we mainly used exact transversal logarithmic signatures for the construction of our examples implies the assumption that many more aperiodic logarithmic signatures might be gained when using for example amalgamated transversal logarithmic signatures. 

Still, it is not clear if the proposed algorithm has any weaknesses in view of the reconstruction of $\delta$ and the $\alpha^{(j_1, \ldots, j_s)}$ from a given $\beta$ because of the known structure of the algorithm, although we conjecture that keeping the used generating set $\mathcal{B}$ a secret makes it hard to extract any information. Further, we don't know if $\beta$ is tame whether or not one knows $\delta$ and $\alpha^{(j_1, \ldots, j_s)}$, which is also an important issue for an attacker. 